GO-2020-0009

Source

https://pkg.go.dev/vuln/GO-2020-0009

Import Source

https://vuln.go.dev/ID/GO-2020-0009.json

Aliases

Published

2021-04-14T20:04:52Z

Modified

2023-11-08T03:58:37.873502Z

Details

On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC with HMAC such that they can control how large the input buffer is when computing the HMAC authentication tag. This can can allow a manipulated ciphertext to be verified as authentic, opening the door for padding oracle attacks.

References

Affected packages

Go / github.com/square/go-jose

Package

Name: github.com/square/go-jose

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.0.0-20160903044734-789a4c4bd4c1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/square/go-jose/cipher",
            "goarch": [
                "386",
                "arm",
                "armbe",
                "amd64p32",
                "mips",
                "mipsle",
                "mips64p32",
                "mips64p32le",
                "ppc",
                "riscv",
                "s390",
                "sparc"
            ],
            "symbols": [
                "cbcAEAD.Open",
                "cbcAEAD.Seal",
                "cbcAEAD.computeAuthTag"
            ]
        },
        {
            "path": "github.com/square/go-jose",
            "goarch": [
                "386",
                "arm",
                "armbe",
                "amd64p32",
                "mips",
                "mipsle",
                "mips64p32",
                "mips64p32le",
                "ppc",
                "riscv",
                "s390",
                "sparc"
            ],
            "symbols": [
                "JsonWebEncryption.Decrypt",
                "genericEncrypter.Encrypt",
                "genericEncrypter.EncryptWithAuthData"
            ]
        }
    ]
}